AssumeRoleWithSAML

Returns a set of temporary security credentials for users who have been authenticated
via a SAML authentication response. This operation provides a mechanism for tying
an
enterprise identity store or directory to role-based AWS access without user-specific
credentials or configuration. For a comparison of AssumeRoleWithSAML with the
other APIs that produce temporary credentials, see Requesting Temporary Security
Credentials and Comparing the
AWS STS APIs in the IAM User Guide.

The temporary security credentials returned by this operation consist of an access
key
ID, a secret access key, and a security token. Applications can use these temporary
security
credentials to sign calls to AWS services.

The temporary security credentials are valid for the duration that you specified when
calling AssumeRole, or until the time specified in the SAML authentication
response's SessionNotOnOrAfter value, whichever is shorter. The duration can be
from 900 seconds (15 minutes) to a maximum of 3600 seconds (1 hour). The default is
1
hour.

The temporary security credentials created by AssumeRoleWithSAML can be
used to make API calls to any AWS service with the following exception: you cannot
call the
STS service's GetFederationToken or GetSessionToken APIs.

Optionally, you can pass an IAM access policy to this operation. If you choose not
to
pass a policy, the temporary security credentials that are returned by the operation
have the
permissions that are defined in the access policy of the role that is being assumed.
If you
pass a policy to this operation, the temporary security credentials that are returned
by the
operation have the permissions that are allowed by the intersection of both the access
policy
of the role that is being assumed, and the policy that you pass. This means that both policies must grant the permission
for the action to be allowed. This gives you a way to further restrict the permissions
for the
resulting temporary security credentials. You cannot use the passed policy to grant
permissions that are in excess of those allowed by the access policy of the role that
is being
assumed. For more information, see Permissions for
AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity in the
IAM User Guide.

Before your application can call AssumeRoleWithSAML, you must configure
your SAML identity provider (IdP) to issue the claims required by AWS. Additionally,
you must
use AWS Identity and Access Management (IAM) to create a SAML provider entity in your
AWS account that represents
your identity provider, and create an IAM role that specifies this SAML provider in
its
trust policy.

Calling AssumeRoleWithSAML does not require the use of AWS security
credentials. The identity of the caller is validated by using keys in the metadata
document
that is uploaded for the SAML provider entity for your identity provider.

Important

Calling AssumeRoleWithSAML can result in an entry in your AWS
CloudTrail logs. The entry includes the value in the NameID element of the SAML
assertion. We recommend that you use a NameIDType that is not associated with any
personally
identifiable information (PII). For example, you could instead use the Persistent
Identifier
(urn:oasis:names:tc:SAML:2.0:nameid-format:persistent).

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

DurationSeconds

The duration, in seconds, of the role session. The value can range from 900 seconds
(15
minutes) to 3600 seconds (1 hour). By default, the value is set to 3600 seconds. An
expiration
can also be specified in the SAML authentication response's SessionNotOnOrAfter
value. The actual expiration time is whichever value is shorter.

Note

This is separate from the duration of a console session that you might request using
the returned credentials. The request to the federation endpoint for a console sign-in
token
takes a SessionDuration parameter that specifies the maximum length of the
console session, separately from the DurationSeconds parameter on this API. For
more information, see Enabling SAML 2.0
Federated Users to Access the AWS Management Console in the
IAM User Guide.

Type: Integer

Valid Range: Minimum value of 900. Maximum value of 3600.

Required: No

Policy

An IAM policy in JSON format.

The policy parameter is optional. If you pass a policy, the temporary security
credentials that are returned by the operation have the permissions that are allowed
by both
the access policy of the role that is being assumed, and the policy that you pass. This gives you a way to further restrict the permissions
for the resulting temporary security credentials. You cannot use the passed policy
to grant
permissions that are in excess of those allowed by the access policy of the role that
is being
assumed. For more information, Permissions for
AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity in the
IAM User Guide.

The format for this parameter, as described by its regex pattern, is a string of
characters up to 2048 characters in length. The characters can be any ASCII character
from the
space character to the end of the valid character list (\u0020-\u00FF). It can also
include
the tab (\u0009), linefeed (\u000A), and carriage return (\u000D) characters.

Note

The policy plain text must be 2048 bytes or shorter. However, an internal conversion
compresses it into a packed binary format with a separate limit. The PackedPolicySize
response element indicates by percentage how close to the upper size limit the policy
is,
with 100% equaling the maximum allowed size.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Pattern: [\u0009\u000A\u000D\u0020-\u00FF]+

Required: No

PrincipalArn

The Amazon Resource Name (ARN) of the SAML provider in IAM that describes the
IdP.

Response Elements

The value of the Recipient attribute of the
SubjectConfirmationData element of the SAML assertion.

Type: String

Credentials

The temporary security credentials, which include an access key ID, a secret access
key, and a security (or session) token.

Note: The size of the security token that STS APIs return is
not fixed. We strongly recommend that you make no assumptions about the maximum size.
As of
this writing, the typical size is less than 4096 bytes, but that can vary. Also, future
updates to AWS might require larger sizes.

A hash value based on the concatenation of the Issuer response value, the
AWS account ID, and the friendly name (the last part of the ARN) of the SAML provider
in
IAM. The combination of NameQualifier and Subject can be used to
uniquely identify a federated user.

A percentage value that indicates the size of the policy in packed form. The service
rejects any policy with a packed size greater than 100 percent, which means the policy
exceeded the allowed space.

Type: Integer

Valid Range: Minimum value of 0.

Subject

The value of the NameID element in the Subject element of the
SAML assertion.

Type: String

SubjectType

The format of the name ID, as defined by the Format attribute in the
NameID element of the SAML assertion. Typical examples of the format are
transient or persistent.

If the format includes the prefix
urn:oasis:names:tc:SAML:2.0:nameid-format, that prefix is removed. For example,
urn:oasis:names:tc:SAML:2.0:nameid-format:transient is returned as
transient. If the format includes any other prefix, the format is returned with
no modifications.

Type: String

Errors

For information about the errors that are common to all actions, see Common Errors.

ExpiredToken

The web identity token that was passed is expired or is not valid. Get a new identity
token from the identity provider and then retry the request.

HTTP Status Code: 400

IDPRejectedClaim

The identity provider (IdP) reported that authentication failed. This might be because
the claim is invalid.

If this error is returned for the AssumeRoleWithWebIdentity operation, it can
also mean that the claim has expired or has been explicitly revoked.

HTTP Status Code: 403

InvalidIdentityToken

The web identity token that was passed could not be validated by AWS. Get a new identity
token from the identity provider and then retry the request.

HTTP Status Code: 400

MalformedPolicyDocument

The request was rejected because the policy document was malformed. The error message
describes the specific error.

HTTP Status Code: 400

PackedPolicyTooLarge

The request was rejected because the policy document was too large. The error message
describes how big the policy document is, in packed form, as a percentage of what
the API allows.

HTTP Status Code: 400

RegionDisabled

STS is not activated in the requested region for the account that is being asked to
generate
credentials. The account administrator must use the IAM console to activate STS in
that
region. For more information, see Activating and Deactivating AWS
STS in an AWS Region in the IAM User Guide.

HTTP Status Code: 403

See Also

For more information about using this API in one of the language-specific AWS SDKs,
see the following: